Configuring TCP Wrappers

Configuring TCP Wrappers

UnixWare provides an implementation of ``TCP Wrappers'' which has been compiled from source code written by Wietse Venema (wietse@wzv.win.tue.nl). This facility allows you to control access by hosts to service daemons that are started by inetd, such as in.tftpd, in.rlogind, in.telnetd, and in.rexecd.

NOTE: You can use TCP Wrappers instead of packet filters or in addition to them.

The principle by which the wrappers operate is simple:

inetd(1Mtcp) receives a request for a service from a client host.
Using an appropriately modified entry in the inetd.conf(4tcp) configuration file, inetd invokes the wrapper daemon, in.tcpd(1Mtcp), instead of starting the daemon for the service being requested.
in.tcpd consults the lists of rules in the files /etc/inet/hosts.allow and /etc/inet/hosts.deny.
If the host is explicitly allowed access to a service in hosts.allow, in.tcpd immediately invokes the service daemon.
Otherwise, if the host is not explicitly denied access to the service in hosts.deny, it is implicitly allowed and in.tcpd invokes the service daemon.

By default, many service daemons are configured to be started via in.tcpd. You can immediately control host access to services by adding appropriate entries to the hosts.allow and hosts.deny files.

Logging TCP Wrapper events

By default, the TCP Wrapper daemon, in.tcpd logs events via syslog to /var/adm/syslog. This file will contain the log entries of refused connections.

Entries in the log look similar to the following:

   date host server[pid]: refused connect from host

Testing TCP Wrapper configurations

You can use the tcpdmatch(1Mtcp) program to test if a user will be allowed to connect to a given service with the current rule set. For example, enter the following command to see if the local host (127.0.0.1) is allowed to telnet into itself:

tcpdmatch in.telnetd 127.0.0.1

The following output from this command shows that line 46 in /etc/inet/hosts.deny disallows the connection:

   client: address 127.0.0.1
   server: process in.telnetd
   matched: /etc/inet/hosts.deny line 46
   access: denied

Examples of configuring TCP Wrappers

The following example entries in hosts.allow would allow access to all services by all hosts in the local domain (mynet.com):

   ALL: .mynet.com : ALLOW
   ALL: ALL: DENY

Alternatively, to prevent access only by hosts in the domain acme.com, the following entries would be needed in hosts.deny:

   ALL: .acme.com: DENY
   ALL: ALL: ALLOW

It is also possible to configure ``booby traps''. These warn you if an attacker may be using a service such as TFTP to try and gain access to files on your system. An example of a booby trap is the following entry from the hosts.deny file:

   in.tftpd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
   	/usr/bin/mail -s tftp-%d-%h root) &

Instead of the requested file, in.tcpd uses the safe_finger program to send a finger probe to the attacking host. It then mails the result to root. Obviously, if the attacker is blocking finger or does not run the finger daemon, the probe will fail but the event will still be logged.

Attempts to hack into a system are sometimes initiated via finger and telnet. The following booby traps will warn you of such events:

   in.fingerd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
   	/usr/bin/mail -s finger-%d-%h root) &
   in.telnetd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
   	/usr/bin/mail -s telnet-%d-%h root) &

WARNING: Do not booby-trap in.fingerd with safe_finger unless you are prepared to accept possibly infinite finger loops. This can happen if the remote side has also set a booby trap with safe_finger on in.fingerd.

The following entries in hosts.allow would allow normal TFTP, finger and telnet access from hosts in the local domain (mynet.com) without invoking the booby traps:

   in.tftpd:   .mynet.com
   in.fingerd: .mynet.com
   in.telnetd: .mynet.com

The following entries in hosts.allow would allow access to the above services from the domain mynet.com and subdomains such as rivers.mynet.com but block access from seas.mynet.com:

   in.tftpd:   .mynet.com EXCEPT .seas.mynet.com
   in.fingerd: .mynet.com EXCEPT .seas.mynet.com
   in.telnetd: .mynet.com EXCEPT .seas.mynet.com

For more about TCP Wrappers

For more information about using TCP Wrappers to configure access control, please consult the following manual pages.